November 2012 Archives

App::perlall 0.27, a better perlbrew at CPAN for multiple global perls, now patches some of the known security problems with buffer-overflows and use-after-free errors for the perl production releases.

I currently patch only 4 known errors for non-threaded perls from 5.10 to 5.16. The latest "security fix" 5.14.3, blead and threaded perls are in worse shape. I will add more fixes to App::perlall for these perls later. The amount of work is overwhelming.
There are at least 2 more buffer-overflows and use-after-free errors which need to be backported.

Note that Devel::PatchPerl is the modularisation of Devel::PPPort's buildperl, which only patches perls to make them compile. The problem is that clang -faddress-sanitizer does not compile when it detects overflows or use-after-free; it SEGVs. Which is good.

I find it rather troublesome that so-called maintenance perl security releases do not fix those errors (they are typically ignored, the special word is warnocked), and some releases add even more security problems than they fix. E.g. 5.14.3-nt has three more such problems than 5.14.2-nt, which has only 3 known problems.

I also find it rather troublesome that the perl5 porters still do not use clang -faddress-sanitizer (now renamed to -fsanitize=address, as there is also a new -fsanitize=thread which we use for parrot) or at least valgrind or gcc mudflap to check their release candidates against reported pointer errors.